Additional Materials:

Contact:

The Internal Revenue Service (IRS) has a demanding responsibility in collecting taxes, processing tax returns, and enforcing the nation's tax laws. It relies extensively on computerized systems to support its financial and mission-related operations. Effective information security controls are essential for ensuring that information is adequately protected from inadvertent or deliberate misuse, disruption, or destruction. As part of its audit of IRS's fiscal year 2005 financial statements, GAO assessed (1) the status of IRS's actions to correct or mitigate previously reported information security weaknesses at two sites and (2) whether controls over key financial and tax processing systems located at the facilities are effective in ensuring the confidentiality, integrity, and availability of financial and sensitive taxpayer data.

IRS has made progress in correcting or mitigating previously reported information security weaknesses and in implementing controls over key financial and tax processing systems that are located at two of its critical data processing sites. It has corrected or mitigated 41 of the 81 specific technical weaknesses that we reported as unresolved at the time of our last review at those selected sites. Although IRS has made progress, controls over its key financial and tax processing systems located at two sites were ineffective. In addition to the 40 previously reported weaknesses for which IRS has not completed actions, GAO identified new information security control weaknesses that threaten the confidentiality, integrity, and availability of IRS's financial information systems and the information they process. For example, IRS has not implemented effective electronic access controls related to network management, user accounts and passwords, user rights and file permissions, and logging and monitoring of security-related events. In addition, it has not effectively implemented other information security controls to physically secure computer resources, and to prevent exploitation of vulnerabilities and unauthorized changes to system software. Collectively, these weaknesses increase the risk that sensitive financial and taxpayer data will be inadequately protected against disclosure, modification, or loss, possibly without detection, and place IRS operations at risk of disruption. A key reason for IRS's weaknesses in information security controls is that it has not yet fully implemented an information security program to ensure that effective controls are established and maintained. Until IRS fully implements a comprehensive agencywide information security program, its facilities and computing resources and the information that is processed, stored, and transmitted on its systems will remain vulnerable.

Recommendations for Executive Action

Status: Closed - Implemented

Comments: In fiscal year 2008, we verified that IRS had taken action to ensure that remedial action plans were complete and up-to-date.

Recommendation: To help establish effective information security over key financial systems, data, and interconnected networks, the Commissioner of the Internal Revenue Service should ensure that remedial action plans are complete and up to date.

Agency Affected: Department of the Treasury: Internal Revenue Service

Status: Closed - Implemented

Comments: In fiscal year 2008, we verified that contractors had received specialized training as required by IRS policy.

Recommendation: To help establish effective information security over key financial systems, data, and interconnected networks, the Commissioner of the Internal Revenue Service should ensure contractors with significant information security responsibilities are provided with sufficient specialized training.

Agency Affected: Department of the Treasury: Internal Revenue Service

Status: Closed - Implemented

Comments: In fiscal year 2008, we verified that IRS had updated system security plans to address nonmajor applications.

Recommendation: To help establish effective information security over key financial systems, data, and interconnected networks, the Commissioner of the Internal Revenue Service should review system security plans to ensure that they appropriately address nonmajor applications.

Agency Affected: Department of the Treasury: Internal Revenue Service

Status: Closed - Implemented

Comments: IRS enhanced its policies and procedures related to password age and configuration settings to comply with federal guidelines.

Recommendation: To help establish effective information security over key financial systems, data, and interconnected networks, the Commissioner of the Internal Revenue Service should enhance policies and procedures related to password age and configuration settings to comply with federal guidelines.

Agency Affected: Department of the Treasury: Internal Revenue Service

Status: Closed - Implemented

Comments: In 2010 we observed that trained off-site staff have access to the recovery procedures. In addition, IRS has updated its recovery and business resumption plans, as well as installed Unix-based hardware and equipment at its disaster recovery hot-site.

Recommendation: To help establish effective information security over key financial systems, data, and interconnected networks, the Commissioner of the Internal Revenue Service should continue to enhance continuity of operations capabilities by (1) training non-IRS staff to restore operations, (2) updating disaster recovery plans to include disaster recovery procedures for UNIX and Windows systems, (3) updating business resumption plans to include UNIX and Windows systems, and (4) installing UNIX-based hardware and equipment for processing applications and data at IRS's disaster recovery hot-site.